METHODS FOR GENERATING VARIABLE S-BOXES FROM ARBITRARY KEYS OF ARBITRARY
LENGTH

(French title) METHODS FOR GENERATING VARIABLE SUBSTITUTION BOXES FROM
ARBITRARY KEYS OF ARBITRARY LENGTH

Patent Applicant/Assignee:

TELEDYNE INDUSTRIES INC
Fulltext Availability:

Detailed Description 

Claims 

Fulltext Word Count: 11383 
English Abstract 

A system for generating variable substitution boxes from arbitrary keys
for use in a block cipher system utilizes an initial set of linearly
independent numbers (13) to generate substitution tables (15). The
initial set of linearly independent numbers (13) is modulated with the
bits of an arbitrary key through operations that result in final sets of
linearly independent numbers to form the substitution tables (15). The
system also includes an implementation which allows for rapid key changes
for the crypto system by only generating portions of the substitution
tables as needed for specific blocks of input data to be encrypted or
decrypted.

French Abstract 

The invention concerns a system for generating substitution boxes from
arbitrary keys, intended for use in a block-cipher encryption system.
This system uses an initial set of linearly independent numbers (13) to
generate substitution tables (15). The initial set of linearly
independent numbers (13) is modulated with the bits of an arbitrary key
by operations that result in final sets of linearly independent numbers
to form substitution tables (15). The system also comprises an
implementation which makes it possible to perform rapid key changes for
the cryptographic system by generating only those parts of the
substitution tables required for specific blocks of input data to be
encoded or decoded.

Detailed Description 

... provide substitute values for the sub-blocks of plaintext.

Description of Related Art

In DES, the S-Tables are organized into eight substitution boxes
(S-Boxes), each of which consists of four 16-entry S-Tables, where
each S-Table entry ...

... i.e., 0000 through 1111 (0 through 15). The input to a DES S-Box
is a 6-bit sub-block. Two bits determine which of the four S-Tables
to use and the remaining four bits index the selected S-Table. In DES,
a 56-bit key is used to generate a "schedule" of 16 48-bit sub-keys. In
each of the 16 iterations or "rounds" used by DES, one of the sub-keys
is combined with a portion of the plaintext, or that round's
derivative thereof, using an exclusive-or (XOR) operation. The 48-bit
XOR sum is then broken into eight 6-bit sub-blocks and the S-Boxes
are used to provide substitutions for those sub-blocks.



Any block cipher system may be ...

... SPECIFICATION in data blocks of a predetermined bitlength comprising a
plurality of consecutive transformation rounds of half of each data
block. Each consecutive transformation round comprises steps of combining
the half data block with a first masking key of predetermined length
using a first binary operation to generate a first modified half data
block and combining the first modified half data block with a second
masking key of predetermined length using a second (different) binary
operation to generate a second modified half data block. The method
further includes steps of processing the second modified half data
block by a plurality of (m x n) mutually different substitution boxes
to generate a third modified half data block, where m and n are
positive integers and m<n, and XORing the third modified half data
block with the remaining half of the data block to generate a
transformed half data block of a transformation round.



Brief Description of the Drawings 



Figure 1 is a known. . . 



... CLAIMS round function means has a first plurality of partially
bent-function-based (m x n) s-boxes for processing key bits to
generate a first masking key and a second masking key, and a second
plurality of partially bent-function-based (m x n) s-boxes for
processing the second modified data half.

8. The data encryption method of cryptographically transforming
plaintext into ciphertext in data blocks of predetermined bitlength
according to claim 6, wherein ...

... round function means has a first plurality of partially
bent-function-based (m x n) s-boxes for processing key bits to
generate a first masking key and a second masking key, and a second
plurality of partially bent-function-based (m x n) s-boxes for
processing the second modified data half.

9. The data encryption method of cryptographically transforming
plaintext into ciphertext in data blocks of predetermined bitlength
according to claim 8, wherein the first plurality of s-boxes
comprises four partially bent-function-based 8x32 s-boxes and the
second plurality of s-boxes comprises four partially
bent-function-based 8x32 s-boxes.

10. The data encryption method of cryptographically transforming
plaintext into ciphertext in data blocks of ...

... addition modulo 2^n, subtraction modulo 2^n, and bitwise XOR can be used
to combine the half data block with the first masking key and to
combine the s-box outputs which result from the processing of the
second modified half data block.

14. The data encryption method of cryptographically transforming
plaintext into ciphertext in data blocks ...
Joint Development of Next-Generation Encryption Algorithm 'Camellia' by NTT
and Mitsubishi Electric.

Business Wire, 0529 
March 10, 2000 

LANGUAGE: English RECORD TYPE: Fulltext 

WORD COUNT: 1190 LINE COUNT: 00104 

... boxes) are designed to be suitable for small hardware. The key 

schedule can share a part of data randomizing and the memory 
requirement for subkeys is reduced. As a result, Camellia encryption 
hardware . . . 
04623386 E.I. No: EIP9702351 9318

Title: Improved Data Encryption Standard (DES) algorithm 

Author: Han, Seung-Jo; Oh, Heang-Soo; Park, Jongan 
Corporate Source: Chosun Univ, Kwangju, South Korea 

Conference Title: Proceedings of the 1996 4th International Symposium on 
Spread Spectrum Techniques & Applications 

Conference Location: Mainz, Ger Conference Date: 19960922-19960925 
E.I. Conference No.: 45960 

Source: IEEE International Symposium on Spread Spectrum Techniques & 
Applications v 3 1996.. p 1310-1314 
Publication Year: 1996 
CODEN: 85QWA7 
Language: English 

Document Type: CA; (Conference Article) Treatment: G; (General Review); 
T; (Theoretical) 

Journal Announcement: 9704W1 

Abstract: The cryptosystem which is most used throughout the world for
protecting information is the Data Encryption Standard (DES) which was
announced by National Bureau of Standard (NBS). The DES must be stronger
than the other cryptosystems in the security. But, because the process time
required for cryptanalysis has lessened, because hardware technique has
developed rapidly, the DES may be attacked by various kinds of
cryptanalysis using parallel process. It may be especially vulnerable to
attack by the differential cryptanalysis. Therefore, the DES will require
strengthening to ensure cryptographic security in the days to come. This
paper proposes design of a DES-like cryptosystem called the Improved-DES.
The Improved-DES is a new algorithm. We show that the Improved-DES is
stronger than the DES against differential cryptanalysis for cryptographic
security. We will divide one data block (96 bits) into 3 sub-blocks of
32 bits and then perform different f functions on each of the 3 sub-blocks,
and then increase the S_1-S_8 of the S-boxes to S_1-S_16,
satisfying the Strict Avalanche Criterion (SAC: p_ij) and the
correlation coefficient (p_ij). Finally we will increase the key length
to 112 bits. The analysis will show that the unicity distance (UD) in the
Improved-DES is increased more than the DES's UD. (Author abstract) 13
Refs.

Descriptors: *Data communication systems; Cryptography; Standards; 
Security of data; Computer hardware; Correlation methods; Algorithms; 
Binary codes 

Identifiers: Data encryption standard (DES); Strict avalanche criterion 
(SAC) 

Classification Codes: 

902.2 (Codes & Standards); 723.2 (Data Processing); 716.1 (Information 
& Communication Theory) 

716 (Radar, Radio & TV Electronic Equipment); 723 (Computer Software); 
902 (Engineering Graphics & Standards); 722 (Computer Hardware) 

71 (ELECTRONICS & COMMUNICATIONS); 72 (COMPUTERS & DATA PROCESSING); 90 
Author(s): Seberry, J.; Xian-Mo Zhang; Yuliang Zheng
p. 383-96

Editor(s): Desmedt, Y.G. 

Publisher: Springer-Verlag, Berlin, Germany 

Publication Date: 1994 Country of Publication: West Germany vi+438 
ISBN: 3 540 58333 5

Conference Title: Advances in Cryptology - CRYPTO '94. 14th International 
Cryptology Conference Proceedings 

Conference Sponsor: Int. Assoc. Cryptologic Res.; IEEE Comput. Soc. Tech.
Committee on Security & Privacy

Conference Date: 21-25 Aug. 1994 Conference Location: Santa Barbara, 
CA, USA 

Language: English Document Type: Conference Paper (PA) 
Treatment: Theoretical (T) 

Abstract: Two significant recent advances in cryptanalysis, namely the
differential attack put forward by Biham and Shamir (1991) and the linear
attack by Matsui (1994) have had devastating impact on data encryption
algorithms. An eminent problem that researchers are facing is to design
S-boxes or substitution boxes so that an encryption algorithm that
employs the S-boxes is immune to the attacks. We present evidence
indicating that there are many pitfalls on the road to achieve the goal. In
particular, we show that certain types of S-boxes which are seemingly
very appealing do not exist. We also show that, contrary to previous
perception, techniques such as chopping or repeating permutations do not
yield cryptographically strong S-boxes. In addition, we reveal an
important combinatorial structure associated with certain quadratic
permutations, namely, the difference distribution table of each
differentially 2-uniform quadratic permutation embodies a Hadamard matrix.
As an application of this result, we show that chopping a differentially
2-uniform quadratic permutation results in an S-box that is very prone
to the differential cryptanalytic attack. (17 Refs)
Subfile: B C 

Descriptors: codes; cryptography; Hadamard matrices 

Identifiers: substitution boxes; cryptanalysis; differential attack;
linear attack; data encryption algorithms; S-boxes; cryptographically
strong S-boxes; combinatorial structure; quadratic permutations;
difference distribution table; differentially 2-uniform quadratic
permutation; Hadamard matrix

Class Codes: B6120B (Codes); B6110 (Information theory); C1260
(Information theory); C6130S (Data security)

Copyright 1995, IEE 
Digital stream signing method and system with reduced computation time
for authentication, divides a data stream into blocks and adds
ancillary information for authenticating the subsequent blocks and
verifies a single digital signature

Patent Assignee: INT BUSINESS MACHINES CORP (IBMC)

Inventor: GENNARO R; ROHATGI P

Number of Countries: 001 Number of Patents: 001
Patent Family:

Patent No    Kind  Date      Applicat No   Kind  Date      Week
US 6311271   B1    20011030  US 97799813   A     19970213  200228 B
                             US 99421819   A     19991020

Priority Applications (No Type Date): US 97799813 A 19970213; US 99421819 A
Patent Details:

Patent No    Kind  Lan  Pg  Main IPC     Filing Notes
US 6311271   B1         22  H04L-009/32  Cont of application US 97799813
                                         Cont of patent US 6009176

Abstract (Basic): US 6311271 B1

NOVELTY - The original data stream is partitioned into a
sequence of contiguous blocks and the software processes the original
stream and adds ancillary information to each of the original blocks
for authentication. The authentication information placed in the first
block will be used to authenticate the following blocks. The receiver
verifies the signature of the first block and subsequently verifies
hashes of the following blocks of a single digital signature.

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for a
program storage device to perform the authentication method
for a combined stream of data.

USE - Authenticating data stream in advance to the sender e.g.
MPEG (Motion Picture Expert Group).
checking the signature. The size of the authentication information

Abstract (Basic): FR 2765056 A

The encryption algorithm divides the data stream into blocks
of 2N octets, and the blocks are divided into a first and a second
half. An exclusive-OR operation is performed between the second half
and a rotation key of M octets. The result of this step is divided into
L blocks of eight bits, and the first block is sent to a first S-box,
and each of the remaining blocks sent to a corresponding S-box
after it has been combined with the output of the preceding S-box.

The output of each of the S-boxes is rotated left, and the
results used to form a new second half of the input block, while the
old second half forms a new half.

USE - Encryption of digital audio streams

ADVANTAGE - Allows construction of encryption algorithm
from blocks of fast algorithms to give fast encryption and decryption
with algorithm that is resistant to differential and linear
cryptanalysis.
The method is for cryptographically transforming between plaintext
and ciphertext in data blocks of a predetermined bitlength in which the
data blocks are processed sequentially through a number of
transformation rounds. Each round includes

expanding a half of a data block and XORing it with a subkey to 
generate a modified half data block. 

The modified half data block is processed by two or more sets 
of a number of different substitution boxes to generate a second 
modified half data block. The second modified half data block 
is then XORed with the remaining half of the data block to generate 
a transformed half data block of a transformation round. 

ADVANTAGE - The method is immune to differential and linear 
cryptanalysis and provides an internal key scheduling mechanism which 
generates no weak or semi-weak encryption keys 
The data encryption method of cryptographically transforming
plaintext into ciphertext in data blocks of a predetermined bit length
includes several consecutive transformation rounds of half of each
data block. Each consecutive transformation round involves combining
the half data block with a first masking key of predetermined
length using a first binary operation to generate a first modified
half data block. The first modified half data block is combined
with a second masking key of predetermined length using a second and
different binary operation to generate a second modified half data
block.

The second modified half data block is processed using several
(m x n) mutually different substitution boxes to generate a third
modified half data block, m and n being positive integers. The third
modified half data block is XORed with the remaining half of the
data block to generate a transformed half data block of a
transformation round.

USE /ADVANTAGE - Provides resistance to differential cryptanalysis 
The system enciphers all data words of e.g. 16 bits to be stored
into a computer using a product cipher circuit includes alternately one 
from several permutation boxes (1-1 to 1-11) and one from a number of 
substitution boxes (1-12 to 1-51) each box being under the control 
of a specific part of a key. 

The data words are enciphered in whole and the system can be 
regarded as a delay line. The data words can be combined with storage 
sector-specific coding words and with a key entered on an input device 
(2) . 

ADVANTAGE - Does not cause any delay that is noticeable to user. 
ABSTRACT

PROBLEM TO BE SOLVED: To increase the safety of a difference deciphering 
method and a linear deciphering method. 

SOLUTION: Similarly to the conventional DES (data encryption standard),
input data is divided into two partial data R and L and the data R
is nonlinearly converted by a nonlinear function means 304 with key data;
and its output and the other partial data of the L are exclusively ORed
and the array of the output and partial data R is converted into the
data R and L, the same process is repeated and the input data are linearly
converted 341 with key data in this case as a means 304 and the output is
divided into bits in0 and in1; and one of function structures 3430,
3431, ..., 3437 which are mutually and nonlinearly converted through three
nonlinear means similar to one element S-box and three exclusive OR
operations and in0 and in1 are inputted to the selected structure, whose
outputs out0 and out1 are subjected to bit combination to obtain the output
of the means 304.
Abstract. Two significant recent advances in cryptanalysis, namely the
differential attack put forward by Biham and Shamir [3] and the linear
attack by Matsui [7, 8], have had devastating impact on data encryption
algorithms. An eminent problem that researchers are facing is to design
S-boxes or substitution boxes so that an encryption algorithm that
employs the S-boxes is immune to the attacks. In this paper we present
evidence indicating that there are many pitfalls on the road to achieve
the goal. In particular, we show that certain types of S-boxes which are
seemingly very appealing do not exist. We also show that, contrary to
previous perception, techniques such as chopping or repeating permutations
do not yield cryptographically strong S-boxes. In addition, we reveal
an important combinatorial structure associated with certain quadratic
permutations, namely, the difference distribution table of each
differentially 2-uniform quadratic permutation embodies a Hadamard matrix.
As an application of this result, we show that chopping a differentially
2-uniform quadratic permutation results in an S-box that is very prone
to the differential cryptanalytic attack.



1 Basic Definitions 

Denote by $V_n$ the vector space of $n$-tuples of elements from $GF(2)$. Let
$\alpha = (a_1, \ldots, a_n)$ and $\beta = (b_1, \ldots, b_n)$ be two vectors
in $V_n$. The scalar product of $\alpha$ and $\beta$, denoted by
$\langle \alpha, \beta \rangle$, is defined by
$\langle \alpha, \beta \rangle = a_1 b_1 \oplus \cdots \oplus a_n b_n$, where
multiplication and addition are over $GF(2)$. In this paper we consider
Boolean functions from $V_n$ to $GF(2)$ (or simply functions on $V_n$).

Let $f$ be a function on $V_n$. The $(1,-1)$-sequence defined by
$((-1)^{f(\alpha_0)}, (-1)^{f(\alpha_1)}, \ldots, (-1)^{f(\alpha_{2^n-1})})$
is called the sequence of $f$, and the $(0,1)$-sequence defined by
$(f(\alpha_0), f(\alpha_1), \ldots, f(\alpha_{2^n-1}))$ is called the truth
table of $f$, where $\alpha_0 = (0, \ldots, 0, 0)$,
$\alpha_1 = (0, \ldots, 0, 1)$, $\ldots$, $\alpha_{2^n-1} = (1, \ldots, 1, 1)$.
$f$ is said to be balanced if its truth table has $2^{n-1}$ zeros (ones).

An affine function $f$ on $V_n$ is a function that takes the form of
$f = a_1 x_1 \oplus \cdots \oplus a_n x_n \oplus c$, where $a_j, c \in GF(2)$,
$j = 1, 2, \ldots, n$. Furthermore $f$ is called a linear function if
$c = 0$. The sequence of an affine (or linear) function is called an affine
(or linear) sequence.

The Hamming weight of a vector $\alpha \in V_n$, denoted by $W(\alpha)$, is
the number of ones in the vector.



Y.G. Desmedt (Ed.): Advances in Cryptology - CRYPTO '94, LNCS 839, pp. 383-396, 1994.
© Springer-Verlag Berlin Heidelberg 1994






A $(1,-1)$-matrix $H$ of order $m$ is called a Hadamard matrix if
$H H^t = m I_m$, where $H^t$ is the transpose of $H$ and $I_m$ is the
identity matrix of order $m$. A Sylvester-Hadamard matrix or Walsh-Hadamard
matrix of order $2^n$, denoted by $H_n$, is generated by the following
recursive relation

$n = 1, 2, \ldots$



Now we introduce bent functions, an important combinatorial concept
discovered by Rothaus in the mid 1960's, although his pioneering work was
not published until some ten years later [14].

Definition 1. A function $f$ on $V_n$ is said to be bent if

$2^{-\frac{n}{2}} \sum_{x \in V_n} (-1)^{f(x) \oplus \langle \beta, x \rangle} = \pm 1$

for every $\beta \in V_n$. Here $x = (x_1, \ldots, x_n)$ and
$f(x) \oplus \langle \beta, x \rangle$ is considered as a real-valued
function.

Bent functions can be characterized in various ways. In particular, the
following statements are equivalent (see also [6]):

(i) $f$ is bent.

(ii) $\langle \xi, \ell \rangle = \pm 2^{\frac{n}{2}}$ for any affine
sequence $\ell$ of length $2^n$, where $\xi$ is the sequence of $f$.

(iii) $f(x) \oplus f(x \oplus \alpha)$ is balanced for any non-zero vector
$\alpha \in V_n$, where $x = (x_1, \ldots, x_n)$.
An $n \times s$ S-box or substitution box is a mapping from $V_n$ to $V_s$,
where $n \ge s$. Now we consider a nonlinearity criterion that measures the
strength of an S-box against differential cryptanalysis [3, 4]. The essence
of a differential attack is that it exploits particular entries in the
difference distribution tables of S-boxes employed by a block cipher. The
difference distribution table of an $n \times s$ S-box is a $2^n \times 2^s$
matrix. The rows of the matrix, indexed by the vectors in $V_n$, represent
the change in the input, while the columns, indexed by the vectors in $V_s$,
represent the change in the output of the S-box. An entry in the table
indexed by $(\alpha, \beta)$ indicates the number of input vectors which,
when changed by $\alpha$ (in the sense of bit-wise XOR), result in a change
in the output by $\beta$ (also in the sense of bit-wise XOR).

Note that an entry in a difference distribution table can only take an even
value, the sum of the values in a row is always $2^n$, and the first row is
always $(2^n, 0, \ldots, 0)$. As entries with higher values in the table are
particularly useful to differential cryptanalysis, a necessary condition for
an S-box to be immune to differential cryptanalysis is that it does not have
large values in its difference distribution table (not counting the first
entry in the first row).
Definition 2. Let $F$ be an $n \times s$ S-box, where $n \ge s$. Let
$\delta$ be the largest value in the difference distribution table of the
S-box (not counting the first entry in the first row), namely,

$\delta = \max_{\alpha \in V_n, \alpha \ne 0} \max_{\beta \in V_s}
|\{x \mid F(x) \oplus F(x \oplus \alpha) = \beta\}|.$

Then $F$ is said to be differentially $\delta$-uniform, and accordingly,
$\delta$ is called the differential uniformity of $F$.

Obviously the differential uniformity $\delta$ of an $n \times s$ S-box is
constrained by $2^{n-s} \le \delta \le 2^n$. Extensive research has been
carried out in constructing differentially $\delta$-uniform S-boxes with a
low $\delta$ [1, 13, 2, 9, 10, 11, 12]. Some constructions, in particular
those based on permutation polynomials on finite fields, are simple and
elegant. However, caution must be taken with Definition 2. In particular,
it should be noted that low differential uniformity (a small $\delta$) is
only a necessary, but not a sufficient condition for immunity to
differential attacks. This is shown by the fact that S-boxes constructed in
[1, 9], which have a flat difference distribution table, are extremely weak
to differential attacks, despite that they achieve the lowest possible
differential uniformity $\delta = 2^{n-s}$ [4, 5, 15]. A more complete
measurement that takes into account the number of nonzero entries in the
first column of a difference distribution table is the robustness
introduced in [15].

Definition 3. Let $F = (f_1, \ldots, f_s)$ be an $n \times s$ S-box, where
$f_i$ is a function on $V_n$, $i = 1, \ldots, s$, and $n \ge s$. Denote by
$L$ the largest value in the difference distribution table of $F$, and by
$N$ the number of nonzero entries in the first column of the table. In
either case the value $2^n$ in the first row is not counted. Then we say
that $F$ is $R$-robust against differential cryptanalysis, where $R$ is
defined by



Robustness gives more accurate information about the strength of an S-box 
against the differential attack than differential uniformity does. However, differ- 
ential uniformity has an advantage over robustness in that the former is easier to 
discuss than the latter. For this reason, differential uniformity is employed as the 
first indicator for the strength of an S-box against the differential attack, while 
robustness is considered when more complete information about the strength is 
needed. 

An $n \times s$ S-box $F = (f_1, \ldots, f_s)$ is said to be regular if $F$
runs through each vector in $V_s$ $2^{n-s}$ times while $x$ runs through
$V_n$ once. S-boxes employed by a block cipher must be regular, since
otherwise the cipher would be prone to statistical attacks. For a regular
$n \times s$ S-box, its differential uniformity is larger than $2^{n-s}$
(see also Lemma 2 of [17]). The robustness of the S-box is further
determined by the number of nonzero entries in the first column of the
table.

We are particularly interested in $n \times s$ S-boxes that have the
following property: for any nonzero vector $\alpha \in V_n$,
$F(x) \oplus F(x \oplus \alpha)$ runs through half of the vectors in $V_s$,
each $2^{n-s+1}$ times, but not through the other half of the vectors in
$V_s$. With each row in the difference distribution table of such an S-box,
half of its entries contain a value $2^{n-s+1}$ while the other half
contain a value zero. For simplicity, we say such a difference distribution
table to be uniformly half-occupied. Clearly an $n \times s$ S-box with a
UHODDT or uniformly half-occupied difference distribution table achieves
the differential uniformity of $2^{n-s+1}$. In Theorem 3 of [17], it has
been proved that for quadratic S-boxes, $2^{n-s+1}$ is the lower bound on
differential uniformity.

Note that a differentially 2-uniform permutation is also a permutation with
a UHODDT, and vice versa. These permutations have many nice properties [13,
2, 9, 10, 11, 12]. In particular, they achieve the highest possible
robustness against the differential attack. The concept of $n \times s$
S-boxes with a UHODDT can be viewed as a generalization of differentially
2-uniform permutations. Hence $n \times s$ S-boxes with a UHODDT are very
appealing and have received extensive research (see for instance [2]).
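The indicators of Definitions 2 and 3 (differential uniformity, $L$, $N$), the regularity check and the UHODDT test, computed in Python as an added example that is not part of the paper. The S-box is constructed for this illustration: $x \mapsto x^3$ over $GF(2^3)$ with modulus $x^3 + x + 1$, a differentially 2-uniform quadratic permutation, beside the same S-box chopped to two output bits, the synthesis the abstract says is prone to differential attack. The robustness formula $R = (1 - N/2^n)(1 - L/2^n)$ is quoted from reference [15] and is an assumption here, because the formula itself is missing from this copy.

```python
from collections import Counter

N_IN, N_OUT = 3, 3   # n x s dimensions of the constructed example S-box


def gf8_mul(a, b, modulus=0b1011):
    """Multiply two elements of GF(2^3), held as 3-bit ints, modulo x^3 + x + 1."""
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for deg in (4, 3):                 # reduce the degree-4 and degree-3 terms
        if (r >> deg) & 1:
            r ^= modulus << (deg - 3)
    return r


def cube_sbox():
    """The 3x3 S-box x -> x^3 on GF(2^3): a differentially 2-uniform quadratic permutation."""
    return [gf8_mul(x, gf8_mul(x, x)) for x in range(1 << N_IN)]


def chop(sbox, keep_bits):
    """Chop an S-box by keeping only the low `keep_bits` output bits (a synthesis the paper criticises)."""
    return [y & ((1 << keep_bits) - 1) for y in sbox]


def ddt(sbox, n, s):
    """Difference distribution table: rows are input differences alpha, columns output differences beta."""
    table = [[0] * (1 << s) for _ in range(1 << n)]
    for alpha in range(1 << n):
        for x in range(1 << n):
            table[alpha][sbox[x] ^ sbox[x ^ alpha]] += 1
    return table


def differential_uniformity(table):
    """delta of Definition 2: the largest entry, ignoring the first row (alpha = 0)."""
    return max(max(row) for row in table[1:])


def is_regular(sbox, n, s):
    """Every vector of V_s is hit exactly 2^(n-s) times while x runs through V_n."""
    counts = Counter(sbox)
    return len(counts) == (1 << s) and all(c == (1 << (n - s)) for c in counts.values())


def robustness(table, n):
    """L and N of Definition 3, plus R = (1 - N/2^n)(1 - L/2^n), the formula from
    reference [15] (an assumption here: the formula is missing from this copy)."""
    L = differential_uniformity(table)
    N = sum(1 for row in table[1:] if row[0] != 0)   # nonzero entries in the first column
    R = (1 - N / (1 << n)) * (1 - L / (1 << n))
    return L, N, R


def is_uhoddt(table, n, s):
    """Uniformly half-occupied DDT: in every nonzero row, half the entries equal 2^(n-s+1), the rest are 0."""
    target, half = 1 << (n - s + 1), 1 << (s - 1)
    for row in table[1:]:
        hits = sum(1 for v in row if v == target)
        zeros = sum(1 for v in row if v == 0)
        if hits != half or zeros != half:
            return False
    return True


def analyse(sbox, n, s):
    """Collect the paper's indicators for one S-box in a dict."""
    table = ddt(sbox, n, s)
    L, N, R = robustness(table, n)
    return {"regular": is_regular(sbox, n, s), "delta": differential_uniformity(table),
            "uhoddt": is_uhoddt(table, n, s), "L": L, "N": N, "R": R}


if __name__ == "__main__":
    full = cube_sbox()
    print("x^3 on GF(2^3):  ", analyse(full, N_IN, N_OUT))
    print("chopped to 3x2:  ", analyse(chop(full, 2), N_IN, 2))
```

The chopped S-box keeps the same differential uniformity bound $2^{n-s+1}$ but its first column fills up ($N$ rises), which is exactly what robustness catches and differential uniformity alone does not.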

There are two important questions about S-boxes with a UHODDT, namely

(i) Do there exist S-boxes with a UHODDT? If there do, how to construct
them?

(ii) What is the robustness of an S-box with a UHODDT?

When $n = s$, the answer to the first question is "yes". It has been shown
in [13, 11, 2] that certain permutation polynomials on $GF(2^n)$, $n$ odd,
have a UHODDT. So far no result has been known regarding the case of
$n > s$. In Section 2, we will partially solve the problem by showing that
there exist no quadratic $n \times s$ S-boxes with a UHODDT, if either $n$
or $s$ is even. The second question will be discussed in Section 3. We will
prove that the robustness of an S-box with a UHODDT is very low.

Another important question is the synthesis of S-boxes, namely

(iii) How to construct S-boxes from existing ones?

This question will be discussed in Section 4. We will show that many
synthesis methods which were previously taken for granted, in fact do not
yield strong S-boxes, even though the starting S-boxes employed are all
strong ones. Section 5 is solely devoted to the investigation of
combinatorial properties of the difference distribution table of a
quadratic permutation. We reveal a result that is very interesting even
from the point of view of pure combinatorics, namely, every uniformly
half-occupied difference distribution table of a quadratic permutation
embodies a Sylvester-Hadamard matrix.

2 Nonexistence of Certain Quadratic S-boxes 
2.1 On Quadratic S-boxes with a UHODDT 

As mentioned in the previous section, an $n \times s$ S-box with a UHODDT
or uniformly half-occupied difference distribution table achieves the
differential uniformity of $2^{n-s+1}$, and for quadratic S-boxes,
$2^{n-s+1}$ is the lower bound on differential uniformity. In the following
we show an impossibility result, namely, there exist no quadratic S-boxes
that have a UHODDT if either $n$ or $s$ is even.

Assume that $F = (f_1, \ldots, f_s)$ is a quadratic $n \times s$ S-box with
a UHODDT, where $n \ge s$. We prove that neither $n$ nor $s$ can be even.

Recall that a vector $\alpha \in V_n$ is called a linear structure of a
function $f$ on $V_n$ if $f(x) \oplus f(x \oplus \alpha)$ is a constant.
The set of the linear structures of $f$ forms a linear subspace. The
dimension of the subspace is called the linearity dimension of $f$. Let
$\alpha_1, \ldots, \alpha_{2^n-1}$ be the $2^n - 1$ nonzero vectors in
$V_n$ and $g_1, \ldots, g_{2^s-1}$ be the $2^s - 1$ nonzero linear
combinations of $f_1, \ldots, f_s$. We construct a bipartite graph whose
vertices comprise $\alpha_1, \ldots, \alpha_{2^n-1}$ on one side and
$g_1, \ldots, g_{2^s-1}$ on the other side. An edge or link between
$\alpha_i$ and $g_j$ exists if and only if $\alpha_i$ is a linear structure
of $g_j$.

Theorem 2 of [17] states that $n - \ell_i$ is even, where $\ell_i$ is the
linearity dimension of $g_i$. Equivalently, $n$ and $\ell_i$ must be both
even or both odd. Since each $g_i$ is balanced, it can not be bent. By
Lemma 5 of [17], a quadratic function is bent if and only if it does not
have linear structures. Hence we have $\ell_i \ge 1$. On the other hand,
from the proof for Corollary 1 of [17], we have $\ell_i \le n - 2$. We
distinguish the following two cases:

Case 1: $n$ is odd and $\ell_i$ is $1, 3, 5, \ldots$, or $n - 2$.

Case 2: $n$ is even and $\ell_i$ is $2, 4, 6, \ldots$, or $n - 2$.

First we consider Case 1. Let $p_j$ denote the number of
$1 \le i \le 2^s - 1$, such that $\ell_i = j$. Then we have a sequence of
numbers $p_1, p_3, p_5, \ldots, p_{n-2}$.

Obviously,

$p_1 + p_3 + \cdots + p_{n-2} = 2^s - 1.$ (1)

Since $F$ is an S-box with a UHODDT, for any nonzero vector
$\alpha_k \in V_n$

$F(x) \oplus F(x \oplus \alpha_k) = (f_1(x) \oplus f_1(x \oplus \alpha_k),
\ldots, f_s(x) \oplus f_s(x \oplus \alpha_k))$

is not regular. Thus, by Lemma 6, there exists a linear combination of
$f_1(x) \oplus f_1(x \oplus \alpha_k), \ldots, f_s(x) \oplus f_s(x \oplus
\alpha_k)$, say $g_j(x) \oplus g_j(x \oplus \alpha_k)$, such that
$g_j(x) \oplus g_j(x \oplus \alpha_k)$ is not balanced. Since
$g_j(x) \oplus g_j(x \oplus \alpha_k)$ is affine,
$g_j(x) \oplus g_j(x \oplus \alpha_k)$ must be constant. This proves that
any nonzero vector $\alpha_k \in V_n$ is a linear structure of a $g_j$, a
linear combination of $f_1, \ldots, f_s$. On the other hand, by Theorem 4
of [17], for each $\alpha_k$, there exists at most one $g_j$ among
$g_1, \ldots, g_{2^s-1}$ such that $\alpha_k$ is a linear structure of
$g_j$. By the construction of the bipartite graph, each $\alpha_k$ is
linked to a unique $g_j$. Also each $g_i$ with $\ell_i = j$ has $j$
linearly independent linear structures and $2^j - 1$ nonzero linear
structures. Hence we have

$(2^1 - 1)p_1 + (2^3 - 1)p_3 + (2^5 - 1)p_5 + \cdots + (2^{n-2} - 1)p_{n-2}
= 2^n - 1.$ (2)

From (1) and (2) we have

$(2^1 - 2)p_1 + (2^3 - 2)p_3 + (2^5 - 2)p_5 + \cdots + (2^{n-2} - 2)p_{n-2}
= 2^n - 2^s$

or equivalently

$(2^2 - 1)p_3 + (2^4 - 1)p_5 + \cdots + (2^{n-3} - 1)p_{n-2}
= 2^{s-1}(2^{n-s} - 1).$ (3)






Note that $2^k - 1$ is divisible by 3 if and only if $k \ge 2$ is even.
Thus the left hand side of (3) is divisible by 3. This implies that the
$(2^{n-s} - 1)$ part in the right hand side of the equation is divisible by
3. Hence $s$ must be odd. Thus there exists no quadratic $n \times s$ S-box
with a UHODDT if $n$ is odd ($n \ge 5$) and $s$ is even.

We now consider Case 2. Let $q_j$ denote the number of
$1 \le i \le 2^s - 1$, such that $\ell_i = j$. Similarly to Case 1, we have
a sequence of numbers $q_2, q_4, q_6, \ldots, q_{n-2}$, and

$q_2 + q_4 + q_6 + \cdots + q_{n-2} = 2^s - 1,$

$(2^2 - 1)q_2 + (2^4 - 1)q_4 + (2^6 - 1)q_6 + \cdots + (2^{n-2} - 1)q_{n-2}
= 2^n - 1.$

By simple deduction,

$(2^3 - 2)q_4 + (2^5 - 2)q_6 + \cdots + (2^{n-3} - 2)q_{n-2}
= 2^{n-1} - 3 \cdot 2^{s-1} + 1.$ (4)

It is not hard to see that the left hand side of (4) is even when
$n \ge 4$, while the right hand side of (4) is always odd for $s \ge 2$.
From this we can conclude that there exists no quadratic $n \times s$ S-box
with a UHODDT if $n$ is even with $n \ge 4$.

Summarizing Case 1 and Case 2, we have 

Theorem 4. For $n \ge 4$, there exists no quadratic $n \times s$ S-box with a UHODDT 
if either $n$ or $s$ is even. 

Theorem 4 can be viewed as an extension of Corollary 2 in [17], which states 
that there exists no differentially 2-uniform quadratic permutation on an even 
dimensional vector space. 

By Theorem 4, $n \times s$ S-boxes with a UHODDT do not exist if either $n$ or $s$ is 
even. When $n$ is odd and $n = s$, as mentioned before, we do have differentially 
2-uniform quadratic permutations [13, 2, 11]. Thus a problem that is left open is 
whether there are quadratic S-boxes with a UHODDT for $n > s$, both $n$ and $s$ 
odd. It should be pointed out that an S-box which has an odd number of input 
bits and also an odd number of output bits may not be very useful in practice. 

2.2 An Extension 

The result in the previous subsection can be extended to a special kind of differentially $2^{n-s+t}$-uniform quadratic S-boxes. Let $F$ be an $n \times s$ S-box such that 
for any nonzero vector $\alpha \in V_n$, $F(x) \oplus F(x \oplus \alpha)$ runs through $2^{s-t}$ vectors in 
$V_s$, each $2^{n-s+t}$ times, but not through the remaining $2^s - 2^{s-t}$ vectors in $V_s$, 
where $t \ge 1$. The case when $t = 1$ has been discussed in the previous subsection. 
In the following we present a nonexistence result on the case when $t > 1$. 

Theorem 5. If $n$ is odd and $t$ is even, there exists no quadratic $n \times s$ S-box 
such that for any nonzero vector $\alpha \in V_n$, $F(x) \oplus F(x \oplus \alpha)$ runs through $2^{s-t}$ 
vectors in $V_s$, each $2^{n-s+t}$ times, but not through the remaining vectors in $V_s$. 

The proof will be provided in the full version. 
3 Columns of a UHODDT 

In the previous section we proved that there does not exist a quadratic n x s 
S-box with a UHODDT if either n or s is even. It is not clear whether or not 
higher degree S-boxes with a UHODDT exist. If there do exist such S-boxes, we 
would like to know whether or not they satisfy a more stringent requirement, 
namely high robustness. Results to be shown below give a negative answer to 
the question. 

The following lemma is exactly the same as Theorem 1 of [17]. 

Lemma 6. Let $F = (f_1, \ldots, f_s)$ be a mapping from $V_n$ to $V_s$, where each $f_j$ is a 
function on $V_n$. Then $F$ is regular if and only if each nonzero linear combination 
of $f_1, \ldots, f_s$ is balanced. 

It is easy to show that the profile of the difference distribution table of an S-box 
is not changed by a nonsingular linear transformation on input coordinates 
(see for instance [2, 17]). In particular we have 

Lemma 7. Let $F = (f_1, \ldots, f_s)$ be a regular S-box with a UHODDT or uniformly half-occupied difference distribution table. Let $A$ be a nonsingular matrix 
of order $n$ and $B$ a nonsingular matrix of order $s$ over $GF(2)$. Then both 

$$G(x) = F(xA) = \bigl(f_1(xA), \ldots, f_s(xA)\bigr) \quad \text{and} \quad H(x) = F(x)B = \bigl(f_1(x), \ldots, f_s(x)\bigr)B$$

are regular S-boxes with a UHODDT. 

By definition, each row in a uniformly half-occupied difference distribution 
table, except the first, contains an equal number of zero and nonzero entries. The 
following lemma shows that a similar result holds with columns in the table. 

Lemma 8. Let $F$ be a regular $n \times s$ S-box with a UHODDT. Then each column, 
except the first, in the difference distribution table contains an equal number of 
zero and nonzero entries. 

Proof. We prove that for each nonzero $\beta \in V_s$, there exist $2^{n-1}$ nonzero $\alpha \in V_n$ 
such that $F(x) \oplus F(x \oplus \alpha) = \beta$ has solutions for $x$. 

Fix $x_0 \in V_n$. Since the difference distribution table of $F$ is uniformly half-occupied, $F(x_0) \oplus F(x_0 \oplus \alpha)$ runs through each nonzero $\beta \in V_s$ $2^{n-s}$ times 
while $\alpha$ runs through $V_n$. As $x_0$ is arbitrary, for each nonzero $\beta \in V_s$ there 
exist $2^n \cdot 2^{n-s}$ pairs $(x, \alpha)$ such that $F(x) \oplus F(x \oplus \alpha) = \beta$, where $\alpha \ne 0$. On 
the other hand, since the difference distribution table of $F$ is uniformly half-occupied, $F(x) \oplus F(x \oplus \alpha) = \beta$ either has $2^{n-s+1}$ solutions or has no solution 
for $x$. Thus for each nonzero $\beta \in V_s$, there exist $2^n \cdot 2^{n-s} / 2^{n-s+1} = 2^{n-1}$ nonzero 
vectors $\alpha \in V_n$ such that $F(x) \oplus F(x \oplus \alpha) = \beta$ has solutions for $x$. 

Recall that the robustness of an S-box is determined by the largest value in 
the difference distribution table of the S-box, and also by the number of nonzero 
entries in the first column of the table. The lemma described below gives the 
precise number of nonzero entries in the first column of a uniformly half-occupied 
difference distribution table. 
Lemma 9. Let $F$ be a regular $n \times s$ S-box with a UHODDT. Then there are 
$2^{n-1} - 2^{s-1}$ nonzero entries in the first column of the difference distribution 
table (excluding the first entry). 

As an immediate consequence of Lemma 9, we obtain the robustness of an 
S-box with a UHODDT: 

$$R = \left[1 - (2^{n-1} - 2^{s-1})/2^n\right]\left(1 - 2^{n-s+1}/2^n\right) = \left(1/2 + 2^{-n+s-1}\right)\left(1 - 2^{-s+1}\right).$$

When $n = s$, we have $R = 1 - 2^{-n+1}$, which is the highest possible value for 
robustness. However, when $s$ is relatively smaller than $n$, say $n - s \ge 3$, $R$ is very 
close to $1/2$. For comparison, we note that the robustness of S-boxes constructed 
in [15] is at least $7/8$. 

4 On Methods for Synthesizing S-boxes 

This section is concerned with methods for constructing S-boxes from existing 
ones. We show that a number of techniques which were previously taken for 
granted do not yield good S-boxes. 

4.1 Chopping Permutations 

Chopping permutations which are cryptographically strong has been conceived 
as a promising method to construct S-boxes for DES-like encryption algorithms. 
For this reason, many researchers have focused their attention on permutations, 
especially those on a finite field [2, 9, 10, 11, 12]. Results to be presented in this 
subsection indicate that, contrary to the common perception, this practice does 
not produce good S-boxes. 

First we prove the following: 

Theorem 10. Let $F = (f_1, \ldots, f_s)$ be a regular $n \times s$ S-box with a UHODDT, 
where $n \ge s$ and each $f_j$ is a function on $V_n$. The following two statements hold: 

(i) Let $1 \le t \le s - 1$ and let $G$ be an S-box obtained by dropping $s - t$ component 
functions from $F$, say $G = (f_1, \ldots, f_t)$. Then the difference distribution table 
of $G$ is not uniformly half-occupied. 
(ii) Let $n \ge t \ge s + 1$ and let $H$ be an S-box obtained by adding $t - s$ component 
functions to $F$, say $H = (f_1, \ldots, f_s, f_{s+1}, \ldots, f_t)$, where $f_{s+1}, \ldots, f_t$ are 
newly added. Then the difference distribution table of $H$ is not uniformly 
half-occupied. 

Proof. (i) Since $F$ has a UHODDT, for any nonzero $\alpha$, $F(x) \oplus F(x \oplus \alpha)$ runs 
through $2^{s-1}$ vectors in $V_s$ each $2^{n-s+1}$ times, but not through the other $2^{s-1}$ 
vectors in $V_s$, while $x$ runs through $V_n$. Fix a nonzero vector, say $\gamma = (0, \beta) \in V_s$, 
where $0$ is the zero vector in $V_t$ and $\beta$ is a nonzero vector in $V_{s-t}$. By Lemma 8 
there exist $2^{n-1}$ nonzero vectors $\alpha$ such that $F(x) \oplus F(x \oplus \alpha) = \gamma$ has solutions for 
$x$. Thus there exist $2^{n-1}$ nonzero vectors $\alpha$ such that $G(x) \oplus G(x \oplus \alpha) = 0$, where 
$0$ is the zero vector in $V_t$, has solutions for $x$. It is easy to show that $G$ is not 
uniformly half-occupied: since $G$ is regular, there would exist exactly $2^{n-1} - 2^{t-1}$ nonzero vectors 
$\alpha$ such that $G(x) \oplus G(x \oplus \alpha) = 0$ has solutions (see Lemma 8) if $G$ were uniformly half-occupied. 
(ii) follows from (i). 

From Theorem 10, chopping a regular S-box with a UHODDT does not yield 
a regular S-box with a UHODDT. In particular, chopping a differentially 2-uniform 
permutation on $V_n$ does not produce an S-box with a UHODDT. 

As quadratic permutations with a UHODDT or differentially 2-uniform quadratic 
permutations have been studied very extensively, an important problem is about 
the structure of the difference distribution table of an S-box obtained by chopping 
such a permutation. We will devote a single section, Section 5, to this topic. 

In addition to chopping permutations, other techniques, such as linear transforms 
or modulo operations on inputs or outputs of differentially 2-uniform permutations, 
and repeating differentially 2-uniform permutations, are also conceived 
as possible S-box synthesis methods. In the following we show that none 
of these methods generates an S-box with a UHODDT. 

4.2 Linear Transforms Applied on Inputs 

Let $F$ be a differentially 2-uniform permutation on $V_s$, $B$ a matrix of order $n \times s$ 
($n > s$) over $GF(2)$. Set $G(y) = F(yB)$ where $y \in V_n$. Since the rank of $B$ is 
$s$, $yB$ runs through $2^s$ vectors in $V_s$ each $2^{n-s}$ times while $y$ runs through $V_n$. 
Since $F$ is a permutation on $V_s$, $G(y)$ is a regular $n \times s$ S-box. 

Unfortunately the difference distribution table of $G(y)$ is not uniformly half-occupied. The reason is described in the following. Since $n > s$ there exists a 
nonzero vector, say $\beta$, such that $\beta B = 0$, where $0$ is the zero vector in $V_s$. Note 
that $G(y) \oplus G(y \oplus \beta) = F(yB) \oplus F((y \oplus \beta)B) = F(yB) \oplus F(yB \oplus \beta B) = 
F(yB) \oplus F(yB) = 0$, where $0$ is the zero vector in $V_s$, for every $y \in V_n$. 

4.3 Linear Transforms Applied on Outputs 

Let $F$ be a differentially 2-uniform permutation on $V_n$, and $B$ a matrix of order 
$n \times s$ ($n > s$) over $GF(2)$. Set $G(x) = F(x)B$. Note that the rank of $B$ is $s$. 
Hence $yB$ runs through $2^s$ vectors in $V_s$ each $2^{n-s}$ times while $y$ runs through 
$V_n$. As $F$ is a permutation on $V_n$, $G$ is a regular $n \times s$ S-box. 

Since $n > s$ there exists a matrix of order $n \times (n - s)$, say $D$, such that the 
matrix $A = [B\,D]$ of order $n$ is nonsingular. Set $\Phi(x) = F(x)A$. By Lemma 7, 
$\Phi$ is also a differentially 2-uniform permutation. By Theorem 10, $G$ is not an 
S-box with a UHODDT. 

4.4 Connecting Permutations in Parallel 

Let $F$ be a differentially 2-uniform permutation on $V_s$. Set 

$$G(y) = (1 \oplus x_{s+1})F(x) \oplus x_{s+1}F(x \oplus \alpha)$$

where $x = (x_1, \ldots, x_s)$, $y = (x_1, \ldots, x_s, x_{s+1})$, $\alpha \in V_s$. Note that $G(x, 0) = F(x)$, 
$G(x, 1) = F(x \oplus \alpha)$. Since $F$ is a permutation on $V_s$, $G$ is a regular $(s + 1) \times s$ 
S-box. 

Let $\beta = (\alpha, 1)$. Clearly $G(y \oplus \beta) = G(y)$ for every $y \in V_{s+1}$. Thus $G(y) \oplus 
G(y \oplus \beta) = 0$, where $0$ is the zero vector in $V_s$, for every $y \in V_{s+1}$. Thus the 
difference distribution is very bad in this case, and $G(y)$ is not an S-box with a 
UHODDT. 

The above discussions can be extended to the general case where $F$ is repeated 
$2^k$ times, $k \ge 1$. 

4.5 Enlarging Inputs or Reducing Outputs by Modulo Operations 

Let $a = (a_1, \ldots, a_n) \in V_n$. Rewrite $a$ as $a = a_1 \oplus a_2 x \oplus \cdots \oplus a_n x^{n-1}$. Thus $V_n$ 
and the set of polynomials of degree at most $n - 1$ over $GF(2)$ have a one-to-one 
correspondence. Let $\sigma(x)$ be a primitive polynomial of degree $s$ ($s < n$). For any 
$a \in V_n$, we have 

$$a = h\sigma \oplus \bar{a}$$

where the degree of $h$ is less than or equal to $n - s - 1$ and the degree of $\bar{a}$ is less 
than $s$. Thus we have defined a mapping from $V_n$ to $V_s$: $a \to \bar{a}$. 

Now let $\xi$ be a vector in $V_n$ and $\bar{\xi}$ a vector in $V_s$. Let $\Phi$ be a differentially 
2-uniform permutation on $V_s$. Set $G(\xi) = \Phi(\bar{\xi})$. This gives an $n \times s$ S-box. Note 
that $\overline{\xi \oplus \eta} = \bar{\xi} \oplus \bar{\eta}$. This means that the mapping from $V_n$ to $V_s$, $a \to \bar{a}$, is 
linear. Hence $G(\xi)$ is not an S-box with a UHODDT, although it is regular (see 
Subsection 5.1). 

Now let $\Phi$ be a differentially 2-uniform permutation on $V_n$, and consider the 
$n \times s$ S-box $\xi \to \overline{\Phi(\xi)}$. A similar argument shows that its difference distribution 
table is not uniformly half-occupied. 

5 Hadamard Matrices Embodied in Difference 
Distribution Table 

In this section we reveal a very important combinatorial property of differentially 
2-uniform quadratic permutations, namely, every differentially 2-uniform 
quadratic permutation is associated with a Sylvester-Hadamard matrix. As an 
application of the result, we show that chopping a differentially 2-uniform quadratic 
permutation results in an S-box whose difference distribution table is nearly flat. 
Such an S-box is very weak against differential attack. 

5.1 Difference Distribution Tables and Incidence Functions 

Let $F = (f_1, \ldots, f_n)$ be a differentially 2-uniform quadratic permutation on $V_n$, 
namely, a quadratic permutation with a UHODDT or uniformly half-occupied 
difference distribution table. Let $W_\alpha$ be the set of vectors $F(x) \oplus F(x \oplus \alpha)$ runs 
through when $x$ runs through $V_n$, namely, 

$$W_\alpha = \{F(x) \oplus F(x \oplus \alpha) \mid x \in V_n\}. \tag{5}$$

Obviously if $\alpha = 0$ then $W_\alpha = \{0\}$. Since each $f_j$ is quadratic, $f_j(x) \oplus f_j(x \oplus \alpha)$ 
is an affine function. 

Write $f_j(x) \oplus f_j(x \oplus \alpha) = c_{1j}x_1 \oplus \cdots \oplus c_{nj}x_n \oplus d_j$, $j = 1, \ldots, n$. Set $C_\alpha = (c_{ij})$, 
$\sigma_\alpha = (d_1, \ldots, d_n)$. Thus $F(x) \oplus F(x \oplus \alpha) = xC_\alpha \oplus \sigma_\alpha$ and $W_\alpha = \{F(x) \oplus F(x \oplus \alpha) \mid x \in V_n\} = \{xC_\alpha \oplus \sigma_\alpha \mid x \in V_n\}$. 

Now let $\alpha \ne 0$. Since $F$ is a permutation, $F(x) \oplus F(x \oplus \alpha) \ne 0$ for any $x \in V_n$. 
Hence $0 \notin W_\alpha$. Since $F(0) \oplus F(\alpha) = \sigma_\alpha$, we have $\sigma_\alpha \ne 0$. And by the definition 
of a UHODDT, $|W_\alpha| = 2^{n-1}$ and hence $\mathrm{rank}(C_\alpha) = n - 1$. Thus we have 

Lemma 11. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
If $\alpha \ne 0$ then 

(i) $0 \notin W_\alpha$, (ii) $\sigma_\alpha \ne 0$, $|W_\alpha| = 2^{n-1}$, and $\mathrm{rank}(C_\alpha) = n - 1$. 

Now set $W_\alpha^0 = \{xC_\alpha \mid x \in V_n\}$. Then we have 

Lemma 12. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
If $\alpha \ne 0$ then $V_n = W_\alpha \cup W_\alpha^0$ and $W_\alpha \cap W_\alpha^0 = \emptyset$. 

Lemma 13. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 

Let $\alpha \ne 0$. Then the following statements hold: 

(i) if $\beta, \beta' \in W_\alpha$ then $\beta \oplus \beta' \in W_\alpha^0$; 
(ii) if $\beta \in W_\alpha$, $\beta' \in W_\alpha^0$ then $\beta \oplus \beta' \in W_\alpha$; 
(iii) if $\beta, \beta' \in W_\alpha^0$ then $\beta \oplus \beta' \in W_\alpha^0$. 

Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$ and let $W_\alpha$ 
be the same as (5). For each $\alpha \in V_n$ we define an incidence function $\varphi_\alpha$ as 
follows: 

$$\varphi_\alpha(\beta) = \begin{cases} 0 & \text{if } \alpha = 0 \\ 1 & \text{if } \alpha \ne 0 \text{ and } \beta \in W_\alpha \\ 0 & \text{if } \alpha \ne 0 \text{ and } \beta \notin W_\alpha \end{cases} \tag{6}$$

As is to be proved below, each $\varphi_\alpha$ is in fact a linear function on $V_n$. 

Lemma 14. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
Then $\varphi_\alpha$, defined in (6), is a linear function on $V_n$ for every vector $\alpha \in V_n$. 

Lemma 15. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
If $\alpha \ne \alpha'$, then $\varphi_\alpha \ne \varphi_{\alpha'}$. 

5.2 Hadamard Matrices in Difference Distribution Tables 

Lemma 14 states that each row of the differential distribution table is associ- 
ated with a linear function on V n , while Lemma 15 indicates that these linear 
functions are all different. Hence we have 
Theorem 16. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
Then $\varphi_\alpha$ runs through all linear functions on $V_n$ while $\alpha$ runs through the vectors 
in $V_n$. 

Recall that $\alpha_0, \alpha_1, \ldots, \alpha_{2^n-1}$ are all the vectors in $V_n$, with $\alpha_0 = (0, \ldots, 0)$, 
$\ldots$, $\alpha_{2^n-1} = (1, \ldots, 1)$. Let $M = (m_{ij})$ be a $(1, -1)$-matrix defined by 

(7) 

$M$ is called the difference trait matrix of $F$. Essentially, $M$ is a matrix obtained 
from the difference distribution table of the S-box by replacing each zero entry 
by $1$ and each nonzero entry by $-1$, with an exception that the first entry in the 
first row is replaced by $1$. 

Theorem 17. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$. 
Then $M$, the difference trait matrix of $F$, is a Sylvester-Hadamard matrix if the 
row order is ignored. 

Proof. From Theorem 16, the $2^n$ rows of $M$ comprise all the linear sequences of 
length $2^n$. By Lemma 1 of [16], each linear sequence of length $2^n$ is a row of $H_n$. 
Thus $M$ can be changed to $H_n$ by re-ordering its rows. 

Obviously, $W_\alpha$, $\varphi_\alpha$ and $M$ can be defined for any permutation on $V_n$, not 
restricted to quadratic ones. 

Theorem 18. Let $F$ be a differentially 2-uniform quadratic permutation on $V_n$ 
and $M$ be the difference trait matrix of $F$. Then the inverse of $F$ is also a differentially 
2-uniform permutation, whose difference trait matrix is the transpose of $M$. 

Note that for a differentially 2-uniform quadratic permutation $F$ based on a 
cubic polynomial on $GF(2^n)$, $n$ odd, the algebraic degree of $F^{-1}$ is larger than 
$(n + 1)/2$. By Theorem 18, both the difference trait matrix of $F$ and that of $F^{-1}$ 
are Sylvester-Hadamard matrices (subject to re-ordering their rows). 

5.3 Chopping Quadratic Permutations 

Let $F = (f_1, \ldots, f_n)$ be a differentially 2-uniform permutation on $V_n$. Let $G$ be 
an S-box obtained by chopping a component function of $F$, say $G = (f_2, \ldots, f_n)$. 
Similarly to $W_\alpha$, $\varphi_\alpha$ and $M$ corresponding to $F$ (see (5), (6) and (7)), we can define 

$$U_\alpha = \{G(x) \oplus G(x \oplus \alpha) \mid x \in V_n\},$$

where $\alpha \in V_n$, and the incidence function 

$$\psi_\alpha(\beta) = \begin{cases} 0 & \text{if } \alpha = 0 \\ 1 & \text{if } \alpha \ne 0 \text{ and } \beta \in U_\alpha \\ 0 & \text{if } \alpha \ne 0 \text{ and } \beta \notin U_\alpha \end{cases}$$

where $\beta \in V_{n-1}$. 

Let $\alpha_0, \alpha_1, \ldots, \alpha_{2^n-1}$ be the ordered vectors in $V_n$ and $\beta_0, \beta_1, \ldots, \beta_{2^{n-1}-1}$ 
the ordered vectors in $V_{n-1}$. Define a $2^n \times 2^{n-1}$ $(1, -1)$-matrix, say $N = (n_{ij})$, 
where $n_{ij} = (-1)^{\psi_{\alpha_i}(\beta_j)}$. 

Write $M = [M_1\,M_2]$ where each $M_i$ is of order $2^n \times 2^{n-1}$, $M_1 = (m_{ij})$, and 
$M_2 = (m_{i,j+2^{n-1}})$. It is easy to see that $\psi_\alpha(\beta) = 1$ if and only if $\varphi_\alpha(0, \beta) = 1$ or 
$\varphi_\alpha(1, \beta) = 1$. In other words, $n_{ij} = -1$ if and only if $m_{ij} = -1$ or $m_{i,j+2^{n-1}} = -1$. 
Since $F$ is a differentially 2-uniform quadratic permutation, by Theorem 17, 
each row of $M$ is a row of $H_n$. Now recall that 

$$H_n = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix}.$$

Write $H_n = (h_{ij})$, $i, j = 1, \ldots, 2^n$. We can see that $-h_{ij} = h_{i,j+2^{n-1}}$ if $i > 2^{n-1}$. This 
implies that $h_{ij} = -1$ or $h_{i,j+2^{n-1}} = -1$ if $i > 2^{n-1}$. Note that $M$ and $H_n$ have 
the same set of rows. This proves that there exist $2^{n-1}$ nonzero $\alpha \in V_n$ such 
that $\psi_\alpha$ is constant $1$. In this case $G(x) \oplus G(x \oplus \alpha)$ runs through every vector 
(including the zero vector) in $V_{n-1}$ for some $2^{n-1}$ nonzero vectors $\alpha \in V_n$ and 
hence the robustness of $G$ is less than $1/2$. 

To summarize the above discussions, the difference distribution table of an 
S-box obtained by chopping a component function of a differentially 2-uniform 
quadratic permutation has the following profile: it can be viewed as a folded 
(right to left) version of the uniformly half-occupied table of the original permutation, 
with half of the rows containing a value 2 in all their entries, and the 
remaining rows, not counting the first row, containing an equal number of 0s 
and 4s. Similarly, chopping two component functions from a permutation results 
in an S-box whose difference distribution table is almost flat: it can be viewed 
as a twice-folded (right to left) version of the uniformly half-occupied table of 
the original permutation, and three quarters of the rows contain a value 4 in all 
their entries, while the remaining rows, not counting the first row, have an equal 
number of 0s and 8s. This observation can be extended to the case when three 
or more component functions are chopped. 

In conclusion, S-boxes obtained by chopping differentially 2-uniform quadratic 
permutations have an almost flat difference distribution table, which renders a 
DES-like encryption algorithm that employs such S-boxes very prone to 
differential attack. 
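The robustness formula of Section 3, the difference trait matrix of Theorem 17 and the folded tables described above can all be checked on the smallest instance the paper points at, the cubic permutation $F(x) = x^3$ on $GF(2^5)$ (quadratic and differentially 2-uniform since $n = 5$ is odd). The following Python script is an added example, not code from the paper; the field representation modulo $x^5 + x^2 + 1$, the choice of dropping the highest-order component functions, and all function names are assumptions made here.

```python
from collections import Counter
from fractions import Fraction

N = 5
MOD = 0b100101  # x^5 + x^2 + 1, primitive over GF(2); an assumed representation of GF(2^5)

def gf_mul(a, b):
    """Multiply two elements of GF(2^N), held as integers, reducing modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def cube(x):
    return gf_mul(x, gf_mul(x, x))

# The quadratic permutation F(x) = x^3 on V_5: differentially 2-uniform because n is odd.
F = [cube(x) for x in range(1 << N)]

def ddt(sbox, s):
    """Difference distribution table: row alpha in V_n, column beta in V_s, entry = #solutions x."""
    size = len(sbox)
    table = [[0] * (1 << s) for _ in range(size)]
    for x in range(size):
        for a in range(size):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def is_uhodd(table, n, s):
    """UHODDT: every nonzero row has 2^(s-1) entries equal to 2^(n-s+1) and 2^(s-1) zeros."""
    want = Counter({0: 1 << (s - 1), 1 << (n - s + 1): 1 << (s - 1)})
    return all(Counter(row) == want for row in table[1:])

def robustness(table, n):
    """R = (1 - N0/2^n)(1 - L/2^n): N0 nonzero entries in column 0 (first excluded), L the largest entry."""
    n0 = sum(1 for row in table[1:] if row[0] != 0)
    largest = max(max(row) for row in table[1:])
    return (1 - Fraction(n0, 1 << n)) * (1 - Fraction(largest, 1 << n))

def trait_matrix_is_hadamard(table, n):
    """Difference trait matrix M (zero entry -> 1, nonzero -> -1, top-left -> 1) has the rows of H_n."""
    rows = {tuple(1 if v == 0 or (i, j) == (0, 0) else -1 for j, v in enumerate(row))
            for i, row in enumerate(table)}
    sylvester = {tuple((-1) ** bin(i & j).count("1") for j in range(1 << n)) for i in range(1 << n)}
    return rows == sylvester

def chop(sbox, k):
    """Drop the k highest component functions of an n x n S-box (any coordinates would do, Lemma 7)."""
    return [y >> k for y in sbox]

def row_kinds(table):
    """Histogram of nonzero rows by their entry multiset, e.g. ((2, 16),) or ((0, 8), (4, 8))."""
    return Counter(tuple(sorted(Counter(row).items())) for row in table[1:])

if __name__ == "__main__":
    for k in range(3):  # k = 0: F itself; k = 1, 2: one and two components chopped
        t = ddt(chop(F, k), N - k)
        print(k, "chopped:", dict(row_kinds(t)), "R =", robustness(t, N))
```

With one component chopped the run shows 16 rows that are constantly 2 and 15 rows split between 0 and 4, and with two chopped 24 rows that are constantly 4 and 7 rows split between 0 and 8, which is the folded profile described above.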